Red Flag and Identity Theft Prevention Program

Written by Fran Lawrence.

The Federal Trade Commission (FTC) has issued a regulation that requires universities to develop and implement a written “identity theft detection, prevention and mitigation program” in response to certain modifications to the Fair and Accurate Credit Transactions Act of 2003.

For this program, identity theft is defined as an act of fraud using the credentials of others, rather than the actual theft of the identity credentials themselves. The Red Flag initiative assumes a theft has occurred and focuses on detecting and mitigating any further exposure to the university or the customer. Identity thieves use people’s personally identifying information to open new accounts and misuse existing accounts, creating havoc and fraud and costing consumers and businesses billions of dollars every year.

The university’s policy is to protect our customers and their accounts from identity theft and to comply with the FTC’s Red Flags rule. The Board of Trustees approved and established the initial Identity Theft Prevention Program and the Red Flag and Identity Theft Prevention Program Committee in 2010. The University Controller is the designated program administrator, responsible for the program’s oversight, development, implementation and administration. In addition to the University Controller’s Office, the committee has representatives from Human Resources Information Management & Analytics, Procurement & Business Services, University Cashier’s Office, Information Security, Risk and Assurance, Campus Enterprises, University Compliance and Ethics Officer and Associate General Counsel (for legal counsel to the committee).

The committee’s functions include:

  • Identifying relevant identity theft red flags for our university.
  • Detecting those red flags.
  • Responding appropriately to any red flags detected to prevent and mitigate identity theft.
  • Updating the program document periodically to reflect changes in risks. 

How does this impact you? Awareness is important, and you may be notified that you have to take the annual Red Flags training. Training is required annually for employees who have access to covered accounts, who are involved in business processes associated with these covered accounts, or who work in university departments that support those processes. If you are made aware of any potential identity theft, please report it to the University Controller at